chore(deps): bump the npm_and_yarn group across 8 directories with 23 updates by dependabot[bot] · Pull Request #36 · trust0-project/uaito

dependabot · 2026-05-04T03:15:32Z

Bumps the npm_and_yarn group with 22 updates in the / directory:

Package	From	To
nodemailer	`7.0.9`	`8.0.5`
vite	`6.3.6`	`6.4.2`
lodash	`4.17.21`	`4.18.1`
uuid	`10.0.0`	`14.0.0`
jspdf	`2.5.2`	`4.2.1`
next	`15.5.3`	`15.5.15`
webpack	`5.101.3`	`5.104.1`
@isaacs/brace-expansion	`5.0.0`	`5.0.1`
@modelcontextprotocol/sdk	`1.20.0`	`1.29.0`
axios	`1.12.2`	`1.16.0`
basic-ftp	`5.0.5`	`5.3.1`
bn.js	`4.12.2`	`4.12.3`
flatted	`3.3.3`	`3.4.2`
follow-redirects	`1.15.11`	`1.16.0`
handlebars	`4.7.8`	`4.7.9`
minimatch	`3.1.2`	`3.1.5`
picomatch	`2.3.1`	`2.3.2`
protobufjs	`6.11.4`	`6.11.6`
rollup	`4.50.1`	`4.60.2`
svgo	`2.8.0`	`2.8.2`
tar	`7.4.3`	`7.5.13`
undici	`6.21.3`	`6.25.0`

Bumps the npm_and_yarn group with 3 updates in the /apps/uaito directory: uuid, jspdf and next.
Bumps the npm_and_yarn group with 1 update in the /packages/anthropic directory: uuid.
Bumps the npm_and_yarn group with 1 update in the /packages/api directory: uuid.
Bumps the npm_and_yarn group with 1 update in the /packages/google directory: uuid.
Bumps the npm_and_yarn group with 1 update in the /packages/huggingFace directory: uuid.
Bumps the npm_and_yarn group with 1 update in the /packages/openai directory: uuid.
Bumps the npm_and_yarn group with 1 update in the /packages/sdk directory: uuid.

Updates nodemailer from 7.0.9 to 8.0.5

Release notes

Sourced from nodemailer's releases.

v8.0.5

8.0.5 (2026-04-07)

Bug Fixes

decode SMTP server responses as UTF-8 at line boundary (95876b1)

sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

v8.0.4

8.0.4 (2026-03-25)

Bug Fixes

sanitize envelope size to prevent SMTP command injection (2d7b971)

v8.0.3

8.0.3 (2026-03-18)

Bug Fixes

clean up addressparser and fix group name fallback producing undefined (9d55877)

fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)

refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)

remove familySupportCache that broke DNS resolution tests (c803d90)

v8.0.2

8.0.2 (2026-03-09)

Bug Fixes

merge fragmented display names with unquoted commas in addressparser (fe27f7f)

v8.0.1

8.0.1 (2026-02-07)

Bug Fixes

absorb TLS errors during socket teardown (7f8dde4)

absorb TLS errors during socket teardown (381f628)

Add Gmail Workspace service configuration (#1787) (dc97ede)

v8.0.0

8.0.0 (2026-02-04)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

8.0.5 (2026-04-07)

Bug Fixes

decode SMTP server responses as UTF-8 at line boundary (95876b1)

sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

8.0.4 (2026-03-25)

Bug Fixes

sanitize envelope size to prevent SMTP command injection (2d7b971)

8.0.3 (2026-03-18)

Bug Fixes

clean up addressparser and fix group name fallback producing undefined (9d55877)

fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)

refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)

remove familySupportCache that broke DNS resolution tests (c803d90)

8.0.2 (2026-03-09)

Bug Fixes

merge fragmented display names with unquoted commas in addressparser (fe27f7f)

8.0.1 (2026-02-07)

Bug Fixes

absorb TLS errors during socket teardown (7f8dde4)

absorb TLS errors during socket teardown (381f628)

Add Gmail Workspace service configuration (#1787) (dc97ede)

8.0.0 (2026-02-04)

⚠ BREAKING CHANGES

Error code 'NoAuth' renamed to 'ENOAUTH'

Bug Fixes

... (truncated)

Commits

202cfb3 chore(master): release 8.0.5 (#1809)
b634abf docs: add CLAUDE.md with project conventions and release process
95876b1 fix: decode SMTP server responses as UTF-8 at line boundary
0a43876 fix: sanitize CRLF in transport name option to prevent SMTP command injection...
08e59e6 chore: update dev dependencies
2d31975 chore(master): release 8.0.4 (#1806)
2d7b971 fix: sanitize envelope size to prevent SMTP command injection
4e702e9 chore(master): release 8.0.3 (#1804)
c803d90 fix: remove familySupportCache that broke DNS resolution tests
e8c8b92 fix: fix cookie bugs, remove dead code, and improve hot-path efficiency
Additional commits viewable in compare view

Updates vite from 6.3.6 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163

fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

6.4.1 (2025-10-20)

fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969) (1114b5d), closes #20968 #20969

6.4.0 (2025-10-15)

feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940

Commits

6b3fad0 release: v6.4.2
ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
5487f4f release: v6.4.1
1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
f12697c release: v6.4.0
ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
0e173d8 release: v6.3.7
c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
See full diff in compare view

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

Updates uuid from 10.0.0 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

expect crypto to be global everywhere (requires node@20+) (#935)

drop node@18 support (#934)

Features

drop node@18 support (#934) (dc4ddb8)

Bug Fixes

expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)

Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

make browser exports the default (#901)

Bug Fixes

make browser exports the default (#901) (bce9d72)

v12.0.1

12.0.1 (2026-04-29)

Bug Fixes

backport fix for GHSA-w5hq-g745-h8pq (3d61d6a)

v12.0.0

12.0.0 (2025-09-05)

... (truncated)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

crypto is now expected to be globally defined (requires node@20+) (#935)

drop node@18 support (#934)

upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

make browser exports the default (#901)

Bug Fixes

make browser exports the default (#901) (bce9d72)

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

update to typescript@5.2 (#887)

remove CommonJS support (#886)

drop node@16 support (#883)

Features

add node@24 to ci matrix (#879) (42b6178)

drop node@16 support (#883) (0f38cf1)

remove CommonJS support (#886) (ae786e2)

update to typescript@5.2 (#887) (c7ee405)

Bug Fixes

improve v4() performance (#894) (5fd974c)

restore node: prefix (#889) (e1f42a3)

11.1.0 (2025-02-19)

... (truncated)

Commits

7c1ea08 chore(main): release 14.0.0 (#926)
3d2c5b0 Merge commit from fork
f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
529ef08 chore: upgrade TypeScript and fixup types (#927)
086fd79 chore: update dependencies (#933)
dc4ddb8 feat!: drop node@18 support (#934)
0f1f9c9 chore: switch to Biome for parsing and linting (#932)
e2879e6 chore: use maintained version of npm-run-all (#930)
ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
0423d49 docs: remove obsolete v1 option notes (#915)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates jspdf from 2.5.2 to 4.2.1

Release notes

Sourced from jspdf's releases.

v4.2.1

This release fixes two security issues.

What's Changed

Fix HTML Injection in output methods vulnerability.

Fix PDF Object Injection via free text annotation color vulnerability.

Full Changelog: parallax/jsPDF@v4.2.0...v4.2.1

v4.2.0

This release fixes three security issues.

What's Changed

Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton children) vulnerability.

Fix Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions vulnerability.

Fix PDF Object Injection via Unsanitized Input in addJS Method vulnerability.

Add "default" property to export section in package.json by @stefan-schweiger in parallax/jsPDF#3953

New Contributors

@stefan-schweiger made their first contribution in parallax/jsPDF#3953

Full Changelog: parallax/jsPDF@v4.1.0...v4.2.0

v4.1.0

This release fixes several security issues.

What's Changed

Upgrade optional dompurify dependency to 3.3.1 in parallax/jsPDF#3948

Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution vulnerability

Fix Stored XMP Metadata Injection (Spoofing & Integrity Violation) vulnerability

Fix Shared State Race Condition in addJS Method vulnerability

Fix Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder vulnerability

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

v4.0.0

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

[Snyk] Upgrade @babel/runtime from 7.28.3 to 7.28.4 by @MrRio in parallax/jsPDF#3895

fix: cell function now properly accepts align parameter by @vishal-rathod-07 in parallax/jsPDF#3896

Remove duplicated function "ga" from WebPDecoder.js by @jvdp in parallax/jsPDF#3902

Fix font state management issue #3890 by @srikanth-s2003 in parallax/jsPDF#3891

Fix pages property to always return current array reference ( #3898 ) by @Opineppes in parallax/jsPDF#3899

Fix jsPDF + Vite compatibility issue #3851 by @tishajain25 in parallax/jsPDF#3903

... (truncated)

Commits

4562ce8 4.2.1
4155c48 Merge commit from fork
87a40bb Merge commit from fork
b1607a9 Bump minimatch from 3.1.2 to 3.1.5 (#3961)
42ac890 Bump rollup from 2.79.2 to 2.80.0 (#3960)
7af912c 4.2.0
56b46d4 Merge commit from fork
2e5e156 Merge commit from fork
71ad2db Merge commit from fork
885a777 fix: upgrade @babel/runtime from 7.28.4 to 7.28.6 (#3954)
Additional commits viewable in compare view

Updates next from 15.5.3 to 15.5.15

Release notes

Sourced from next's releases.

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)

Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @styfle and @lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @ztanner for helping!

Commits

412eb90 v15.5.15
cb90de9 [15.x] Avoid consuming cyclic models multiple times (#74)
fffef9e Fix CI for glibc linux builds
d7b012d v15.5.14
2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
cfd5f53 v15.5.13
15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
d23f41c v15.5.12
8e75765 fix unlock in publish-native
Additional commits viewable in compare view

Updates webpack from 5.101.3 to 5.104.1

Release notes

Sourced from webpack's releases.

v5.104.1

5.104.1

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.

c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

5.104.0

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.

d3dd841: Enhance import.meta.env to support object access.

4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.

04cd530: Handle more at-rules for CSS modules.

cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.

d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.

5983843: Provide a stable runtime function variable __webpack_global__.

d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.

50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.

d3dd841: Support universal lazy compilation.

d3dd841: Fixed module library export definitions when multiple runtimes.

d3dd841: Fixed CSS nesting and CSS custom properties parsing.

d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.

aab1da9: Fixed bugs for css/global type.

d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.

d3dd841: Handle nested __webpack_require__.

728ddb7: The speed of identifier parsing has been improved.

0f8b31b: Improve types.

d3dd841: Don't corrupt debugId injection when hidden-source-map is used.

2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.

d3dd841: Serialize HookWebpackError.

d3dd841: Added ability to use built-in properties in dotenv and define plugin.

3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.

d3dd841: Reduce collision for local indent name in CSS.

d3dd841: Remove CSS link tags when CSS imports are removed.

v5.103.0

Features

Added DotenvPlugin and top level dotenv option to enable this plugin

Added WebpackManifestPlugin

Added support the ignoreList option in devtool plugins

Allow to use custom javascript parse function

... (truncated)

Changelog

Sourced from webpack's changelog.

5.104.1

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.

c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

5.104.0

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.

d3dd841: Enhance import.meta.env to support object access.

4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.

04cd530: Handle more at-rules for CSS modules.

cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.

d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.

5983843: Provide a stable runtime function variable __webpack_global__.

d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.

50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.

d3dd841: Support universal lazy compilation.

d3dd841: Fixed module library export definitions when multiple runtimes.

d3dd841: Fixed CSS nesting and CSS custom properties parsing.

d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.

aab1da9: Fixed bugs for css/global type.

d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.

d3dd841: Handle nested __webpack_require__.

728ddb7: The speed of identifier parsing has been improved.

0f8b31b: Improve types.

d3dd841: Don't corrupt debugId injection when hidden-source-map is used.

2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.

d3dd841: Serialize HookWebpackError.

d3dd841: Added ability to use built-in properties in dotenv and define plugin.

3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.

d3dd841: Reduce collision for local indent name in CSS.

d3dd841: Remove CSS link tags when CSS imports are removed.

Commits

24e3c2d chore(release): new release (#20253)
2efd21b fix(re-exports): reexports runtime calculation should not accessing `__WEBPAC...
c510070 fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris
4b0501c ci: fix release (#20252)
0c213ce ci: use \<@&1450591255485743204> over @here for discord notificationw
5bf8bc5 refactor: types for benchmarks and tests
505a5e7 chore(release): new release (#20188)
0c06680 refactor: update eslint configuration
2eb0d6a ci: release announcement (#20238)
b2b2459 ci: cancel in progress (#20239)
Additional commits viewable in compare view

Updates @isaacs/brace-expansion from 5.0.0 to 5.0.1

Updates @modelcontextprotocol/sdk from 1.20.0 to 1.29.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @felixweinberger in modelcontextprotocol/typescript-sdk#1749

[v1.x] fix: disallow null (infinite) requested TTL by @LucaButBoring in modelcontextprotocol/typescript-sdk#1339

[v1.x] fix: add missing size field to ResourceSchema by @olaservo in modelcontextprotocol/typescript-sdk#1575

Add typings exports by @tdraier in modelcontextprotocol/typescript-sdk#1623

v1.x npm audit fix by @KKonstantinov in modelcontextprotocol/typescript-sdk#1780

v1.x #1623 follow up -add missing types to package.json by @KKonstantinov in modelcontextprotocol/typescript-sdk#1773

[v1.x backport] Allow servers / clients to advertise extensions in the capability object by @localden in modelcontextprotocol/typescript-sdk#1811

fix(stdio): always set windowsHide on Windows, not just in Electron by @jnMetaCode in modelcontextprotocol/typescript-sdk#1640

chore: bump version to 1.29.0 by @felixweinberger in modelcontextprotocol/typescript-sdk#1820

New Contributors

@tdraier made their first contribution in modelcontextprotocol/typescript-sdk#1623

@jnMetaCode made their first contribution in modelcontextprotocol/typescript-sdk#1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

What's Changed

feat: use scopes_supported from resource metadata by default (fixes #580) by @antogyn in modelcontextprotocol/typescript-sdk#757

[v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @pcarleton in modelcontextprotocol/typescript-sdk#1611

fix: reject plain JSON Schema objects passed as inputSchema by @tiluckdave in modelcontextprotocol/typescript-sdk#1596

fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @pcarleton in modelcontextprotocol/typescript-sdk#1462

fix(server/auth): RFC 8252 loopback port relaxation by @poteat in modelcontextprotocol/typescript-sdk#1738

chore: bump version to 1.28.0 by @felixweinberger in modelcontextprotocol/typescript-sdk#1746

New Contributors

@antogyn made their first contribution in modelcontextprotocol/typescript-sdk#757

@tiluckdave made their first contribution in modelcontextprotocol/typescript-sdk#1596

@poteat made their first contribution in modelcontextprotocol/typescript-sdk#1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

What's Changed

feat: implement auth/pre-registration conformance scenario by @felixweinberger in modelcontextprotocol/typescript-sdk#1545

docs: add governance documentation for SEP-1730 by @felixweinberger in modelcontextprotocol/typescript-sdk#1547

docs: comprehensive feature documentation for SEP-1730 Tier 1 by @felixweinberger in modelcontextprotocol/typescript-sdk#1548

fix: prevent command injection in example URL opening (v1.x backport) by @maxisbey in modelcontextprotocol/typescript-sdk#1579

fix: call onerror for silently swallowed transport errors by @qing-ant in modelcontextprotocol/typescript-sdk#1580

chore: bump version to 1.27.1 by @felixweinberger in modelcontextprotocol/typescript-sdk#1581

New Contributors

@qing-ant made their first contribution in modelcontextprotocol/typescript-sdk#1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

... (truncated)

Commits

e12cbd7 chore: bump version to 1.29.0 (#1820)
3913fd4 fix(stdio): always set windowsHide on Windows, not just in Electron (#1640)
5608e78 [v1.x backport] Allow servers / clients to advertise extensions in the capabi...
7213816 v1.x #1623 follow up -add missing types to package.json (#1773)
364f38c v1.x npm audit fix (#1780)
c95cc09 Add typings exports (#1623)
ddadaa6 [v1.x] fix: add missing size field to ResourceSchema (#1575)
2a15851 [v1.x] fix: disallow null (i...
Description has been truncated

… updates Bumps the npm_and_yarn group with 22 updates in the / directory: | Package | From | To | | --- | --- | --- | | [nodemailer](https://github.com/nodemailer/nodemailer) | `7.0.9` | `8.0.5` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `6.3.6` | `6.4.2` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` | | [uuid](https://github.com/uuidjs/uuid) | `10.0.0` | `14.0.0` | | [jspdf](https://github.com/parallax/jsPDF) | `2.5.2` | `4.2.1` | | [next](https://github.com/vercel/next.js) | `15.5.3` | `15.5.15` | | [webpack](https://github.com/webpack/webpack) | `5.101.3` | `5.104.1` | | @isaacs/brace-expansion | `5.0.0` | `5.0.1` | | [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.20.0` | `1.29.0` | | [axios](https://github.com/axios/axios) | `1.12.2` | `1.16.0` | | [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.0.5` | `5.3.1` | | [bn.js](https://github.com/indutny/bn.js) | `4.12.2` | `4.12.3` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.11` | `1.16.0` | | [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.7.8` | `4.7.9` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [protobufjs](https://github.com/protobufjs/protobuf.js) | `6.11.4` | `6.11.6` | | [rollup](https://github.com/rollup/rollup) | `4.50.1` | `4.60.2` | | [svgo](https://github.com/svg/svgo) | `2.8.0` | `2.8.2` | | [tar](https://github.com/isaacs/node-tar) | `7.4.3` | `7.5.13` | | [undici](https://github.com/nodejs/undici) | `6.21.3` | `6.25.0` | Bumps the npm_and_yarn group with 3 updates in the /apps/uaito directory: [uuid](https://github.com/uuidjs/uuid), [jspdf](https://github.com/parallax/jsPDF) and [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 1 update in the /packages/anthropic directory: [uuid](https://github.com/uuidjs/uuid). Bumps the npm_and_yarn group with 1 update in the /packages/api directory: [uuid](https://github.com/uuidjs/uuid). Bumps the npm_and_yarn group with 1 update in the /packages/google directory: [uuid](https://github.com/uuidjs/uuid). Bumps the npm_and_yarn group with 1 update in the /packages/huggingFace directory: [uuid](https://github.com/uuidjs/uuid). Bumps the npm_and_yarn group with 1 update in the /packages/openai directory: [uuid](https://github.com/uuidjs/uuid). Bumps the npm_and_yarn group with 1 update in the /packages/sdk directory: [uuid](https://github.com/uuidjs/uuid). Updates `nodemailer` from 7.0.9 to 8.0.5 - [Release notes](https://github.com/nodemailer/nodemailer/releases) - [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md) - [Commits](nodemailer/nodemailer@v7.0.9...v8.0.5) Updates `vite` from 6.3.6 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) Updates `uuid` from 10.0.0 to 14.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v10.0.0...v14.0.0) Updates `jspdf` from 2.5.2 to 4.2.1 - [Release notes](https://github.com/parallax/jsPDF/releases) - [Changelog](https://github.com/parallax/jsPDF/blob/master/RELEASE.md) - [Commits](parallax/jsPDF@v2.5.2...v4.2.1) Updates `next` from 15.5.3 to 15.5.15 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.5.3...v15.5.15) Updates `webpack` from 5.101.3 to 5.104.1 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.101.3...v5.104.1) Updates `@isaacs/brace-expansion` from 5.0.0 to 5.0.1 Updates `@modelcontextprotocol/sdk` from 1.20.0 to 1.29.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.20.0...v1.29.0) Updates `axios` from 1.12.2 to 1.16.0 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.12.2...v1.16.0) Updates `basic-ftp` from 5.0.5 to 5.3.1 - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.0.5...v5.3.1) Updates `bn.js` from 4.12.2 to 4.12.3 - [Release notes](https://github.com/indutny/bn.js/releases) - [Changelog](https://github.com/indutny/bn.js/blob/master/CHANGELOG.md) - [Commits](indutny/bn.js@v4.12.2...v4.12.3) Updates `dompurify` from 2.5.8 to 3.4.2 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@2.5.8...3.4.2) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `follow-redirects` from 1.15.11 to 1.16.0 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0) Updates `handlebars` from 4.7.8 to 4.7.9 - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `protobufjs` from 6.11.4 to 6.11.6 - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@v6.11.4...v6.11.6) Updates `rollup` from 4.50.1 to 4.60.2 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.50.1...v4.60.2) Updates `svgo` from 2.8.0 to 2.8.2 - [Release notes](https://github.com/svg/svgo/releases) - [Commits](svg/svgo@v2.8.0...v2.8.2) Updates `tar` from 7.4.3 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.4.3...v7.5.13) Updates `undici` from 6.21.3 to 6.25.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v6.21.3...v6.25.0) Updates `uuid` from 10.0.0 to 14.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v10.0.0...v14.0.0) Updates `jspdf` from 2.5.2 to 4.2.1 - [Release notes](https://github.com/parallax/jsPDF/releases) - [Changelog](https://github.com/parallax/jsPDF/blob/master/RELEASE.md) - [Commits](parallax/jsPDF@v2.5.2...v4.2.1) Updates `next` from 15.5.3 to 15.5.15 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.5.3...v15.5.15) Updates `uuid` from 10.0.0 to 14.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v10.0.0...v14.0.0) Updates `uuid` from 10.0.0 to 14.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v10.0.0...v14.0.0) Updates `uuid` from 10.0.0 to 14.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v10.0.0...v14.0.0) Updates `uuid` from 10.0.0 to 14.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v10.0.0...v14.0.0) Updates `uuid` from 10.0.0 to 14.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v10.0.0...v14.0.0) Updates `uuid` from 10.0.0 to 14.0.0 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v10.0.0...v14.0.0) --- updated-dependencies: - dependency-name: nodemailer dependency-version: 8.0.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 14.0.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: jspdf dependency-version: 4.2.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.15 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: webpack dependency-version: 5.104.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@isaacs/brace-expansion" dependency-version: 5.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.29.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: axios dependency-version: 1.16.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: basic-ftp dependency-version: 5.3.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: bn.js dependency-version: 4.12.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: follow-redirects dependency-version: 1.16.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: protobufjs dependency-version: 6.11.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: svgo dependency-version: 2.8.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 6.25.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 14.0.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: jspdf dependency-version: 4.2.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.15 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 14.0.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 14.0.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 14.0.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 14.0.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 14.0.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 14.0.0 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 4, 2026

dependabot Bot mentioned this pull request May 4, 2026

chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates #35

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): bump the npm_and_yarn group across 8 directories with 23 updates#36

chore(deps): bump the npm_and_yarn group across 8 directories with 23 updates#36
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-0663e12f74

dependabot Bot commented on behalf of github May 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github May 4, 2026

v8.0.5

8.0.5 (2026-04-07)

Bug Fixes

v8.0.4

8.0.4 (2026-03-25)

Bug Fixes

v8.0.3

8.0.3 (2026-03-18)

Bug Fixes

v8.0.2

8.0.2 (2026-03-09)

Bug Fixes

v8.0.1

8.0.1 (2026-02-07)

Bug Fixes

v8.0.0

8.0.0 (2026-02-04)

8.0.5 (2026-04-07)

Bug Fixes

8.0.4 (2026-03-25)

Bug Fixes

8.0.3 (2026-03-18)

Bug Fixes

8.0.2 (2026-03-09)

Bug Fixes

8.0.1 (2026-02-07)

Bug Fixes

8.0.0 (2026-02-04)

⚠ BREAKING CHANGES

Bug Fixes

v6.4.2

v6.4.1

v6.4.0

v6.3.7

6.4.2 (2026-04-06)

6.4.1 (2025-10-20)

6.4.0 (2025-10-15)

6.3.7 (2025-10-14)

4.18.1

Bugs

4.18.0

v4.18.0

Security

Docs

lodash.* modular packages

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

Features

Bug Fixes

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

Bug Fixes

v12.0.1

12.0.1 (2026-04-29)

Bug Fixes

v12.0.0

12.0.0 (2025-09-05)

14.0.0 (2026-04-19)

Security

⚠ BREAKING CHANGES

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

Bug Fixes

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

Features

Bug Fixes

11.1.0 (2025-02-19)

v4.2.1

What's Changed

v4.2.0

What's Changed

`lodash.*` modular packages